1+ name : " PR# 4373 - Impersonation: Social Security Administration (SSA)"
2+ description : " Detects messages impersonating the Social Security Administration (SSA) that contain links, a suspicious indicator, and are sent from non-government domains by unsolicited or suspicious senders."
3+ type : " rule"
4+ severity : " medium"
5+ source : |
6+ type.inbound
7+ and length(attachments) < 15
8+ // Identifies as SSA without catching strings such as "Alyssa"
9+ and (
10+ regex.contains(sender.display_name, '^SSA\b')
11+ or strings.icontains(sender.display_name, "Social Security Administration")
12+ // there are confusables in the display name
13+ or (
14+ strings.replace_confusables(sender.display_name) != sender.display_name
15+ and strings.contains(strings.replace_confusables(sender.display_name),
16+ "SSA"
17+ )
18+ )
19+ or any([sender.display_name, subject.subject],
20+ regex.icontains(strings.replace_confusables(.),
21+ 'Social (?:benefits|security)',
22+ )
23+ )
24+ or (
25+ any(attachments,
26+ .file_type in ("doc", "docx")
27+ and any(file.explode(.),
28+ strings.icontains(.scan.strings.raw,
29+ "Social Security Administration"
30+ )
31+ )
32+ )
33+ )
34+ // display name or subject references a statement
35+ or (
36+ any([sender.display_name, subject.subject],
37+ regex.icontains(strings.replace_confusables(.),
38+ '(Digital|(e[[:punct:]]?))\s?Statements?.{0,10}(Generated|Created|Issued|Ready)'
39+ )
40+ )
41+ // with SSA impersonation in the body
42+ and strings.icontains(body.current_thread.text,
43+ 'Social Security Administration'
44+ )
45+ )
46+ or any(html.xpath(body.html, '//title').nodes,
47+ (
48+ strings.icontains(.inner_text, 'Social Security')
49+ and (
50+ strings.icontains(.inner_text, 'Statement')
51+ or strings.icontains(.inner_text, 'Notification')
52+ or strings.icontains(.inner_text, 'Document')
53+ or strings.icontains(.inner_text, 'Message')
54+ or strings.icontains(.inner_text, 'Important Update')
55+ or strings.icontains(.inner_text, 'Benefit Amount')
56+ or strings.icontains(.inner_text, 'Account')
57+ or strings.icontains(.inner_text, 'Authorization')
58+ )
59+ )
60+ or .inner_text =~ "Social Security Administration"
61+ or .inner_text =~ "Social Security"
62+ )
63+ )
64+
65+ // Not from a .gov domain
66+ and not (sender.email.domain.tld == "gov" and headers.auth_summary.dmarc.pass)
67+
68+ // Additional suspicious indicator
69+ and (
70+ any(ml.nlu_classifier(body.current_thread.text).topics,
71+ .name in ("Security and Authentication", "Secure Message")
72+ and .confidence == "high"
73+ )
74+ or any(ml.nlu_classifier(body.current_thread.text).entities,
75+ .name == "org" and .text == "SSA"
76+ )
77+ or strings.icontains(body.current_thread.text, "SSA Statement Viewer")
78+ or strings.icontains(strings.replace_confusables(body.current_thread.text),
79+ "Social Security Statement"
80+ )
81+ or regex.icontains(body.current_thread.text,
82+ "(?:view|open) (?:your|the).{0,8} (statement|document)"
83+ )
84+ or regex.icontains(body.current_thread.text,
85+ "(?:view|open|assess|evaluate|review|conduct|read|scan)"
86+ )
87+ // real SSA phone number
88+ or strings.icontains(body.current_thread.text, "1-800-772-1213")
89+ or any(body.links,
90+ any(regex.extract(.href_url.path, '\.(?P<ext>[^./?#]+)(?:[?#]|$)'),
91+ .named_groups["ext"] in $file_extensions_executables
92+ )
93+ )
94+ or any(ml.logo_detect(file.message_screenshot()).brands,
95+ .name == "SSA" and .confidence == "high"
96+ )
97+ or (
98+ any(attachments,
99+ .file_type in ("doc", "docx")
100+ and any(file.explode(.),
101+ strings.icontains(.scan.strings.raw, "suspended")
102+ or strings.icontains(.scan.strings.raw, "fraudulent")
103+ or strings.icontains(.scan.strings.raw, "violated")
104+ or strings.icontains(.scan.strings.raw, "false identity")
105+ or regex.icontains(.scan.strings.raw,
106+ '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
107+ '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
108+ )
109+ )
110+ )
111+ )
112+ )
113+ and not any(ml.nlu_classifier(body.current_thread.text).topics,
114+ .name in (
115+ "Newsletters and Digests",
116+ "Advertising and Promotions",
117+ "Events and Webinars",
118+ "Charity and Non-Profit",
119+ "Political Mail"
120+ )
121+ and .confidence == "high"
122+ )
123+ // not a forward or reply
124+ and (headers.in_reply_to is null or length(headers.references) == 0)
125+ and (
126+ not profile.by_sender().solicited
127+ or (
128+ profile.by_sender().any_messages_malicious_or_spam
129+ and not profile.by_sender().any_messages_benign
130+ )
131+ )
132+ and not (
133+ sender.email.domain.root_domain in $high_trust_sender_root_domains
134+ and coalesce(headers.auth_summary.dmarc.pass, false)
135+ )
136+ attack_types :
137+ - " BEC/Fraud"
138+ - " Credential Phishing"
139+ tactics_and_techniques :
140+ - " Impersonation: Brand"
141+ - " Social engineering"
142+ detection_methods :
143+ - " Content analysis"
144+ - " Sender analysis"
145+ - " URL analysis"
146+ id : " 216897d2-a21f-54b7-9b5e-ab46d1b8bebd"
147+ tags :
148+ - created_from_open_prs
149+ - rule_status_modified
150+ - pr_author_cybher0808
151+ references :
152+ - https://github.com/sublime-security/sublime-rules/pull/4373
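Review bot: The bare verb alternative at lines 84-86, `"(?:view|open|assess|evaluate|review|conduct|read|scan)"`, matches any body containing "read", "open" or "review", so the "Additional suspicious indicator" block it sits in is satisfied by almost every message and adds nothing beyond the impersonation check above it; fold those verbs into the anchored pattern on line 82 instead, `"(?:view|open|assess|evaluate|review|conduct|read|scan) (?:your|the).{0,8} (statement|document)"`, and drop the standalone one. The .gov exclusion on line 66 reads `headers.auth_summary.dmarc.pass` directly while line 134 wraps the same field in `coalesce(..., false)`; if the DMARC result is absent the line-66 comparison presumably yields null rather than false, which would suppress the rule for a spoofed .gov sender that has no DMARC verdict at all, so make it `and not (sender.email.domain.tld == "gov" and coalesce(headers.auth_summary.dmarc.pass, false))` for consistency. The description on line 2 says the messages "contain links", but nothing in the source requires a link (`body.links` appears only inside one optional branch); either add `and length(body.links) > 0` near the top or reword the description to match the logic.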